diff --git a/config.cfg b/config.cfg
index c3644d1..4e03122 100644
--- a/config.cfg
+++ b/config.cfg
@@ -16,6 +16,8 @@ records = [
     "auth.example.org. NS ns1.auth.example.org.",
     "auth.example.org. NS ns2.auth.example.org.",
 ]
+# debug messages from CORS etc
+debug = false
 
 
 [api]
@@ -24,11 +26,15 @@ records = [
 api_domain = ""
 # listen port, eg. 443 for default HTTPS
 port = "8080"
-# possible values: "letsencrypt", "cert", "false"
-tls = "letsencrypt"
+# possible values: "letsencrypt", "cert", "none"
+tls = "none"
 # only used if tls = "cert"
 tls_cert_privkey = "/etc/tls/example.org/privkey.pem"
 tls_cert_fullchain = "/etc/tls/example.org/fullchain.pem"
+# CORS AllowOrigins, wildcards can be used
+corsorigins = [
+    "web.example.org"
+]
 
 [logconfig]
 # logging level
diff --git a/main.go b/main.go
index cce4118..b24c89a 100644
--- a/main.go
+++ b/main.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"fmt"
+	"github.com/iris-contrib/middleware/cors"
 	"github.com/kataras/iris"
 	"github.com/miekg/dns"
 	"github.com/op/go-logging"
@@ -81,6 +82,13 @@ func main() {
 
 	// API server and endpoints
 	api := iris.New()
+	crs := cors.New(cors.Options{
+		AllowedOrigins:     DnsConf.Api.CorsOrigins,
+		AllowedMethods:     []string{"GET", "POST"},
+		OptionsPassthrough: false,
+		Debug:              DnsConf.General.Debug,
+	})
+	api.Use(crs)
 	var ForceAuth AuthMiddleware = AuthMiddleware{}
 	api.Get("/register", WebRegisterGet)
 	api.Post("/register", WebRegisterPost)
@@ -93,7 +101,6 @@ func main() {
 	case "cert":
 		host := DnsConf.Api.Domain + ":" + DnsConf.Api.Port
 		api.ListenTLS(host, DnsConf.Api.Tls_cert_fullchain, DnsConf.Api.Tls_cert_privkey)
-
 	default:
 		host := DnsConf.Api.Domain + ":" + DnsConf.Api.Port
 		api.Listen(host)
diff --git a/types.go b/types.go
index 02a282e..fa133bd 100644
--- a/types.go
+++ b/types.go
@@ -26,6 +26,7 @@ type general struct {
 	Domain        string
 	Nsname        string
 	Nsadmin       string
+	Debug         bool
 	StaticRecords []string `toml:"records"`
 }
 
@@ -36,6 +37,7 @@ type httpapi struct {
 	Tls                string
 	Tls_cert_privkey   string
 	Tls_cert_fullchain string
+	CorsOrigins        []string
 }
 
 // Logging config